This Malware Can Hit Hundreds Of Banks, Warn Researchers

A new malware, dubbed ShadowPad was found lurking in software used by “hundreds” of global banks, energy firms and pharmaceutical companies for 17 days. The backdoor was found hidden in digitally signed software sold by the software developer NetSarang. The ShadowPad backdoor has already been activated by hackers against an unspecified firm in Hong Kong. [Read the full press release here]

NetSarang’s software was available from 17 July to 4 August, before the backdoor was uncovered by Kaspersky Lab researchers. NetSarang confirmed that its software was “unknowingly shipped with a backdoor.” The firm has also issued out a security update to shut down the backdoor.a

ShadowPad can be “silently” deployed within targets’ computers and when activated, can allow hackers to steal data. Kaspersky also warned that Shadow Pad “could be lying dormant on many other systems worldwide, especially if the users have not installed the updated version of the affected software.”

“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component,” Kaspersky Lab security expert Igor Soumenkov said in a statement.

“The security of our customers and user base is our highest priority and ultimately, our responsibility,” NetSarang said in a statement. “The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”

“Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software,” Kaspersky Lab researchers said in a blog. “Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components.”

So far, according to Kaspersky Lab research, the malicious module has been activated in Hong Kong, but it could be lying dormant on many other systems worldwide, especially if the users have not installed the updated version of the affected software.

While analyzing the tools, techniques and procedures used by the attackers, Kaspersky Lab researchers came to the conclusion that some similarities exist that point to PlugX malware variants used by the Winnti APT group, a known Chinese-speaking cyberespionage group. This information, however, is not enough to establish a precise connection to these actors.

“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component,” said Igor Soumenkov, security expert, Global Research and Analysis Team, Kaspersky Lab. “Luckily, NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data-stealing attacks against its clients; however, this case shows that large companies should rely on advanced solutions capable of monitoring network activity and detecting anomalies. This is where you can spot malicious activity even if the attackers were sophisticated enough to hide their malware inside legitimate software.”

“To combat the ever-changing landscape of cyberattacks, NetSarang has incorporated various methods and measures to prevent our line of products from being compromised, infected or utilized by cyberespionage groups. Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator.

The security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.

Ankush Johar, Director at Bugsbounty.com - a crowdsourced security platform for ethical hackers and businesses commented, “This incident clearly highlights that threats may be lurking in the background, and may not be your fault at all. This is a clear third party threat. The only thing a security-conscious enterprise can undertake is to deploy ‘intrusion-aware’ and ‘intrusion-prevention’ tools, open-source or paid, to avert any such debacles.”

He believes, large software companies whose tools and solutions are being used by critical sectors, need to up the ante on their own security. They carry significant risk, which needs to be mitigated by incorporating crowd-security, the ultimate form of cyber security, before every public release. In-sourcing and outsourcing are clearly not enough.”

“Organisations should instantly update any NetSarang software they are using (if any) and also make sure that the antimalware solutions are equipped with the latest updates too,” he said, adding that “India, with its excessive use of pirated software, needs to be even more cautious of such incidents. One machine could prove to be the Achilles heal for the entire organisation. “

While many believe CIO's role is evolving and that he's occupying a key place in the boardroom, a recent study brings to light that more than half of the CIO, CTO or IT admin staff (55%) are not thanked by colleagues for carrying out essential IT tasks on their behalf.